redline | 0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b

General

Target

0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe
Size

784KB
MD5

69dab86413f92fe8993c1cfe9e7e669b
SHA1

1dcbe52b8fbb742bdee9bb9e1ea19aa02e1ef51b
SHA256

0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b
SHA512

aeddc58f50795b98234f58342b170aad156a6e01329a250de8233e46b5145b8dd216e7c76a5dbe9f5afb4fb6df0b7f0d8f6e6c254d041b0d387fe2fb7ad2fe4a
SSDEEP

24576:wy2JQsE2dwYRGk8xwDfOiai0mACblSIb1X:32JdzrRGkTifiM2D

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2836	x0225384.exe
2040	x0534091.exe
3300	h1307142.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0225384.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0534091.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 2836	4184	0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe	86
PID 4184 wrote to memory of 2836	4184	0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe	86
PID 4184 wrote to memory of 2836	4184	0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe	86
PID 2836 wrote to memory of 2040	2836	x0225384.exe	87
PID 2836 wrote to memory of 2040	2836	x0225384.exe	87
PID 2836 wrote to memory of 2040	2836	x0225384.exe	87
PID 2040 wrote to memory of 3300	2040	x0534091.exe	88
PID 2040 wrote to memory of 3300	2040	x0534091.exe	88
PID 2040 wrote to memory of 3300	2040	x0534091.exe	88

C:\Users\Admin\AppData\Local\Temp\0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe
"C:\Users\Admin\AppData\Local\Temp\0e3508f8361a9cebdedc16c29e24de272c88e9ff21de7175d0fe924d18a9e89b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0225384.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0225384.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0534091.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0534091.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1307142.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1307142.exe
      4⤵
      Executes dropped EXE
      PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0225384.exe

Filesize
682KB

MD5
53d56ce6037e17536b90a0176fd1fed1

SHA1
97076b2163e3ac0cd5761849d341387cf2c054e7

SHA256
bacca3ce19ca649be2d175f2430889ffe91f066d1f415b8f69e00cdc3dfe8dfa

SHA512
4bd48cc0a70411a4b09d9e04ddc303bbfd42e68f28bda9f78a1e8a2b563692c94c4b91f5ee7611f8ed7fceec488e10f1b12bb40e5baccdccc4a211dc0fccf569

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0225384.exe

Filesize
682KB

MD5
53d56ce6037e17536b90a0176fd1fed1

SHA1
97076b2163e3ac0cd5761849d341387cf2c054e7

SHA256
bacca3ce19ca649be2d175f2430889ffe91f066d1f415b8f69e00cdc3dfe8dfa

SHA512
4bd48cc0a70411a4b09d9e04ddc303bbfd42e68f28bda9f78a1e8a2b563692c94c4b91f5ee7611f8ed7fceec488e10f1b12bb40e5baccdccc4a211dc0fccf569

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0534091.exe

Filesize
292KB

MD5
d33853e32ae532622c37d37576e9bf0b

SHA1
999c636420485f5ff374efc7d8445ff02435b712

SHA256
eb0be8a2fbb9a9b2f89ddaab3f859e877d866cfc3e0427236124e2ad85ec1294

SHA512
0f5dca3112fb8a72039c0010c4a62ff1063ec24d2d4519c45e7b20a43c21c03ccdaf776e04b1c2afa0efb6984d8089e4db8a3ea00e29477868dd7110ee6df33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0534091.exe

Filesize
292KB

MD5
d33853e32ae532622c37d37576e9bf0b

SHA1
999c636420485f5ff374efc7d8445ff02435b712

SHA256
eb0be8a2fbb9a9b2f89ddaab3f859e877d866cfc3e0427236124e2ad85ec1294

SHA512
0f5dca3112fb8a72039c0010c4a62ff1063ec24d2d4519c45e7b20a43c21c03ccdaf776e04b1c2afa0efb6984d8089e4db8a3ea00e29477868dd7110ee6df33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1307142.exe

Filesize
174KB

MD5
5b65ee5934b5f9fa43c3e7c2f2ebc5ba

SHA1
731bfa8e277658f5c78a19b77446b74bab061689

SHA256
c1f8fcdc363fbde2ed5d943a9fcc4d39927ac3e495bcb1a8ffa57e7be7dbc58b

SHA512
93bc0fbe0fa8a136cdd9cd82e685dc4f2e82e8fb1481f2c8c5a30244c85465ab11004ce9dc2c65b1934ce41961a3077aef8c8f9b3b461650a09cf5b50a44b2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1307142.exe

Filesize
174KB

MD5
5b65ee5934b5f9fa43c3e7c2f2ebc5ba

SHA1
731bfa8e277658f5c78a19b77446b74bab061689

SHA256
c1f8fcdc363fbde2ed5d943a9fcc4d39927ac3e495bcb1a8ffa57e7be7dbc58b

SHA512
93bc0fbe0fa8a136cdd9cd82e685dc4f2e82e8fb1481f2c8c5a30244c85465ab11004ce9dc2c65b1934ce41961a3077aef8c8f9b3b461650a09cf5b50a44b2c5

Download Submit
memory/3300-23-0x0000000004FB0000-0x0000000004FB6000-memory.dmp

Filesize
24KB

Download
memory/3300-22-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3300-21-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3300-24-0x0000000005780000-0x0000000005D98000-memory.dmp

Filesize
6.1MB

Download
memory/3300-25-0x0000000005270000-0x000000000537A000-memory.dmp

Filesize
1.0MB

Download
memory/3300-27-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3300-26-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/3300-28-0x00000000051C0000-0x00000000051FC000-memory.dmp

Filesize
240KB

Download
memory/3300-29-0x0000000005200000-0x000000000524C000-memory.dmp

Filesize
304KB

Download
memory/3300-30-0x0000000074160000-0x0000000074910000-memory.dmp

Filesize
7.7MB

Download
memory/3300-31-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads